Apologies if this is overly broad or devolves immediately - Is there a general high level guide on how to monitor and defend Qubes for Enterprise IT offices?
This is the point where I’m not 100% comfortable yet in trying to promote Qubes to others. There is an (I believe false) view I typically encounter that Qubes is simply security through obscurity. This I can counter explaining the architecture and they will be reassured learning that Qubes is essentially a stripped down Xen and Linux virtual machines. At this point I’m generally asked about how you defend it. The advice here is sound and awesome and i share this of course: Compromise recovery in Qubes OS | Qubes OS
However - this is not enough to an organization if you have a fleet of people running Qubes counting on you. You need to know how your adversary got in, what they did, and can it happen again. An incident responder needs to be able to review the logs, do forensics on the memory if the device hasn’t been restarted, and image the drive.
I basically want to be able to do this myself and describe to others:
Logging - Remote logging I am going to try with Elastic in a AppVM, the necessary pieces are implemented: WORKING: Guide for creating a logging qube (I.E. sys-log) - WIP
IDS - That’s been discussed a lot in forums, Tripwire seems a decent solution.
Drive analysis - A forensic image of the physical drive is usually simple enough. Doing it on a running system is a little trickier and I have to think about.
Memory capture - Here’s the hard part. Analyzing dom0 and the individual VM’s using volatility shuld be straightforward enough with the map files. However, the dump itself is stumping me conceptually. It seems like the options are:
Virtual machine introspection using Xen tools to dump VM’s and dump dom0 separately
-Not probable, while Xen has virtual machine introspection, Qubes is a minimized version of Xen and may not have the required modules, so you would need to add an unknown number of components to make this functional.
-Additional wrinkle - Qubes uses it’s own memory manger qmemman so this would probably be a futile direction to take.
-While you conceivably could, the issue here is that the custom Qubes tool qmemman is doing memory distribution amongst the vm’s and does not appear to have a native dump feature, while native features in dom0 (e.g. free) only show dom0. So while you could analyze dom0 using traditional means, looking into your dump of all the VM’s is an issue to reconstruct.
Dump dom0 using LiME and then dump individual running qubes.
-This seems achievable, mount a USB drive large enough for the memory and containin LiME. Dump dom0, then dump all the appVM’s with a series of commands from Dom0. This could probably be scripted.